payload

Type: APT / Threat Group
Motivation: Financial

68 victims · 1 campaign · 1 alias

Intelligence Profile

Payload is a ransomware group that emerged in early 2026, using Babuk-derived source code targeting both Windows and ESXi systems with cross-platform double-extortion attacks against healthcare, energy, real estate, and agriculture sectors, claiming 12 victims across seven countries within hours of launching its leak site.

Threat Analysis

payload is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations whose primary motivation is financial.

Financially motivated threat actors like payload prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Ransomware Victims (68)

CTIWATCH tracks 68 organizations claimed as victims by payload on its data leak site, with attack dates, sectors and countries.

Known Campaigns

Payload — Active Campaign April 2026

Payload is conducting an active ransomware campaign targeting organizations across 8 countries. Primary targets: Energy, Financial Services, Manufacturing. 9 confirmed victims recorded in the last 45 days. Campaign status: ACTIVE (last activity 8 Apr 2026).

Targeted sectors: Energy, Financial Services, Manufacturing
Tags: ACTIVE, MEDIUM, 2026

Quick Facts

Type: APT / Threat Group
Motivation: financial
Aliases: 1

Also Known As

payload

DLS Infrastructure

ONLINE: payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd.onion
OFFLINE: payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd.onion
ONLINE: payload6eualw6kni6v2lqn7ovjcl76ojx25z5unsyvqo3lbqy3bo5qd.onion

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.